I'm wondering if a fuzzy password system would be in any way beneficial to users, or worth implementing.

The idea would be that a certain margin of error is acceptable for allowing the user to log in.

Things would be kept track of like what the user remembers best about the original password and what they obviously never seem to recall at all.

The user would be allowed and/or expected to slightly change their password with each attempt.

They would be expected to be sticking with their "fuzzy" recollection of the password. Going back numerous stages might be expected, but remembering the password in a grossly accurate manner would not.

Allowed numbers of attempts per day would also change gradually based on the user's difficulty in logging in. If the user managed to hit one or more of their previously remembered fuzzy recollections of the password, then the assumption would be made that they legitimately are having "trouble", some error margin would be temporarily increased, and they would be asked to try again the next day. With the slightly increased error margin, they might be in luck. If they still fail, they might be S.O.L.

The idea is that the users might be lacking the usually expected level of either sophistication or completeness in their brains, and so some automatic compensation might be needed to allow them to make errors in authenticating their identity but still have normal access to services.

3 Answers

A "fuzzy password system" is a system which accepts several distinct passwords as valid (all the variants over a base password). Correspondingly, it decreases the password strength, thus the security of the system (an attacker who tries possible passwords does not need to hit the exact password, an approximation would be enough). In a password-based system, the password is already the weakest point, so making it even weaker does not seem to be a very good idea.

Accepting the password to be "fuzzy" would be good if it convinced users to choose longer, more random passwords (since they don't have to remember it exactly, they can afford more complexity). However, I strongly doubt typical users would seize the occasion and select so much stronger passwords that it would more than compensate the decrease in security implied by the acceptance of passwords with small mistakes. I even doubt it would make users change their password selection habits at all.

heise.de, a German IT news site, just implemented fuzzy passwords in their forum.

They evaluated their logs and figured out that many users logging in from a mobile device needed 2 to 3 attempts to input the correct password.
This is due to the small on-screen keyboards on mobile devices, making it far more complicated to type the correct password.
After the failed attempts, the correct password was entered almost every time, so a break-in into that account by another person was ruled out.

To minimize the failed attempts, they implemented the fuzzy password system.

Assuming you follow basic guidelines about hashing passwords, the implementation of your concept is not doable.

You would either hash and store a bunch of passwords for each user, or store the actual hash and derive the password yourself to compute affiliated hashes to be compared.
In the first case, the amount of allocated space is absurd; in the second case, it basically makes your server bruteforce your own hashes.

Furthermore, if you use a salt and a password-based key derivation function such as bcrypt, the verification of "fuzzy" passwords could take seconds. Whichever it is, you will probably see it as unacceptable in terms of server load.

Finally, the whole concept of a fuzzy password looks weird. A password is designed to be an exact piece of knowledge that allows systems to authenticate you. Allowing someone to provide an approximate password would just decrease security.

That is not necessarily true; you could take a given password, apply a number of fuzzes and hope it matches after running through the hash. That said, it is still not an improvement on security; there are better ways to address the user memory issue.
– Eric G, Mar 1 '13 at 1:52
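The two objections raised in the thread, that accepting "nearby" passwords hands strength to an attacker (first answer) and that checking them against a single salted slow hash means the server re-hashes every variant (third answer and the comment above), can both be measured. The following is an added example, not code from the page or from any of the posters: it keeps one salted PBKDF2-HMAC-SHA256 hash per user (assumed here as a stand-in for bcrypt), treats "fuzzy" as edit distance 1 (one substitution, deletion, insertion or adjacent swap, an assumption of this example), and reports how many inputs the check now accepts and how many slow hashes a wrong login costs. The alphabet, iteration count and sample password are constructed.

```python
"""Cost model for a fuzzy password check done the way the third answer
describes: one salted slow hash per user, and at login every string within
edit distance 1 of the typed input is hashed until one matches.
Constructed example; PBKDF2-HMAC-SHA256 stands in for bcrypt."""
import hashlib
import os
import string
import time

ALPHABET = string.ascii_letters + string.digits  # assumed password alphabet (62 symbols)
ITERATIONS = 100_000                              # assumed work factor of the slow hash


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted slow hash of one candidate; this is the call that costs time."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def single_edit_variants(word: str, alphabet: str = ALPHABET):
    """Yield `word` and every distinct string one edit away from it:
    substitute, delete or insert one symbol, or swap two adjacent symbols."""
    seen = {word}
    yield word
    candidates = []
    for i in range(len(word)):                      # deletions and substitutions
        candidates.append(word[:i] + word[i + 1:])
        candidates.extend(word[:i] + a + word[i + 1:] for a in alphabet)
    for i in range(len(word) + 1):                  # insertions
        candidates.extend(word[:i] + a + word[i:] for a in alphabet)
    for i in range(len(word) - 1):                  # adjacent transpositions
        candidates.append(word[:i] + word[i + 1] + word[i] + word[i + 2:])
    for v in candidates:
        if v not in seen:
            seen.add(v)
            yield v


def accepted_strings(password: str, alphabet: str = ALPHABET) -> int:
    """Number of distinct inputs the fuzzy check accepts for one real password.
    An exact check accepts 1; every extra accepted string is strength given away,
    because each guess an attacker makes now covers that many real passwords."""
    return sum(1 for _ in single_edit_variants(password, alphabet))


def verify_fuzzy(typed: str, salt: bytes, stored: bytes,
                 iterations: int = ITERATIONS, alphabet: str = ALPHABET):
    """Return (accepted, hashes_computed). A wrong input forces the server to
    hash every variant before it can say no; that is the load the answer warns about."""
    computed = 0
    for variant in single_edit_variants(typed, alphabet):
        computed += 1
        if hash_password(variant, salt, iterations) == stored:
            return True, computed
    return False, computed


def worst_case_seconds(password_len: int, iterations: int = ITERATIONS,
                       alphabet: str = ALPHABET) -> float:
    """Estimate the cost of rejecting one wrong input: variants x time per slow hash,
    timed on this machine rather than hashing every variant."""
    probe = "x" * password_len
    t0 = time.perf_counter()
    hash_password(probe, os.urandom(16), iterations)
    per_hash = time.perf_counter() - t0
    return accepted_strings(probe, alphabet) * per_hash


if __name__ == "__main__":
    demo_iter = 10_000  # lowered for the demo so the typo case finishes in seconds
    salt = os.urandom(16)
    stored = hash_password("Horse7Ok", salt, demo_iter)
    print("exact input :", verify_fuzzy("Horse7Ok", salt, stored, demo_iter))
    print("swapped pair:", verify_fuzzy("Hrose7Ok", salt, stored, demo_iter))
    print("wrong input :", verify_fuzzy("Mouse7Ok", salt, stored, demo_iter))
    print("inputs accepted per real password:", accepted_strings("Horse7Ok"))
    print("worst case at full work factor, 8 chars: %.1f s" % worst_case_seconds(8))
```

For an 8-character password over 62 symbols the check accepts several hundred distinct inputs instead of one, and a rejected login costs that many slow hashes, which is the trade-off both answers describe: the fuzz factor is simultaneously the strength lost per guess and the load multiplier per failed attempt.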